Obligation to Notify Subjects of Data Breaches

The EU's GDPR, which takes effect on May 25, 2018, imposes further obligations on companies. GDPR mandates that businesses have clear notification processes for data breaches. If a company suffers a breach of its personal data protection obligations, the incident must be reported to the relevant supervisory authority within 72 hours.

Data leaks can arise in many ways, be it through external data theft or by simple human error, such as the loss of physical customer lists or files.

A personal data breach can take various forms. External targeted attacks (e.g. by hackers) often involve stolen data, but breaches can happen in other ways as well. Even "accidents", such as a lost briefcase containing customer information or an email sent to the wrong recipient, may constitute a personal data breach.

Reporting a data breach requires the data processor to provide certain information to the authorities. For example, the breach must be assigned to a category, and the number of persons affected must be estimated. The data processor must also estimate the possible consequences or potential damage resulting from the breach. If a penalty is imposed, any measures already taken to protect personal data will be taken into account in mitigation. Measures that companies can take to prevent data breaches include, for example, monitoring data centers to protect against unauthorized access, or systematically monitoring all data processing operations. In addition to reporting data breaches to the supervisory authority, companies and data processors must also, in accordance with Article 34 of GDPR, inform affected individuals about the breach in a timely manner.

Managing data breaches is a question of risk management. If possible, data breaches should be detected and reported early on. With a timely approach, serious consequences, such as reputational damage or financial penalties, can be averted or at least mitigated.


Failure to do so can result in serious issues. A clear example of this is the recent Facebook scandal surrounding the abuse of user data. In this case, the company had failed to actively report its data breach and only informed affected users of the abuse of their personal data after lengthy delays, once pressured to do so by third parties. Facebook is now working to mitigate the damage this caused to its reputation, which had a significant impact on the value of the company.

Efficient Management of Data Breach Notifications

In order to report data protection violations in a timely and efficient manner, companies need clear structures and processes. Digital tools are a particularly efficient way to centrally control the reporting of GDPR violations. They can help to record incidents and document all details of a data breach. Using such a tool, further actions to deal with a breach can be managed by trained staff, improving case management and workflow.

Under GDPR, data breaches must be reported in a timely manner as of May 25, 2018. Digital whistleblowing systems help to efficiently document and coordinate these processes.

Through our work with our clients, we now see that whistleblowing systems are also effective reporting channels for data breach notifications. The person responsible for a data breach can use such a system to dutifully report it (anonymously, if necessary) to the company's data protection officers. The company can then coordinate further internal processes via the case management that is integrated in the system.

In the end, a digital reporting system kills two birds with one stone by meeting the requirements of both whistleblower protection and GDPR data protection rules. That's efficient risk management!

Curious to learn what a digital reporting system could look like? Don't hesitate to get in touch with me.